Security Best Practices Checklist
Secure Coding Practices
Review IAM roles, k8s RBAC bindings, and service account scopes used by application code. Flag any wildcards (s3:*, * resource), cross-account assume-role chains, and long-lived access keys. New services often start with broad permissions during dev and never get tightened — this is the moment to fix it.
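As an added example for the permission review above (not a tool from the checklist), the script below scans an IAM policy document for the three patterns the item names: wildcard actions (`*` or `service:*`), wildcard resources, and `sts:AssumeRole` grants into another account. It also flags `NotAction`, which is a wildcard in disguise. `OWN_ACCOUNT` and the sample policy are constructed assumptions in the shape `aws iam get-policy-version` returns; Deny statements are skipped because they only narrow access.

```python
"""Flag over-broad IAM policy statements (added example, constructed input)."""
import json

OWN_ACCOUNT = "111111111111"  # assumption: the AWS account being reviewed

# Constructed sample policy: one tight statement, one dev-era "s3:* on *",
# one cross-account assume-role, and a Deny that must not be flagged.
SAMPLE_POLICY_JSON = """
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "ReadUploads", "Effect": "Allow",
     "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::app-uploads/*"},
    {"Sid": "DevFullS3", "Effect": "Allow", "Action": "s3:*", "Resource": "*"},
    {"Sid": "CrossAccount", "Effect": "Allow", "Action": "sts:AssumeRole",
     "Resource": "arn:aws:iam::222222222222:role/AnalyticsReader"},
    {"Sid": "DenyAll", "Effect": "Deny", "Action": "*", "Resource": "*"}
  ]
}
"""
SAMPLE_POLICY = json.loads(SAMPLE_POLICY_JSON)


def _as_list(value):
    """IAM accepts a string or a list for Statement/Action/Resource; normalise."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _arn_account(arn):
    """Account ID is the fifth colon-separated field of an ARN ('' if absent)."""
    parts = arn.split(":")
    return parts[4] if len(parts) >= 6 else ""


def audit_policy(policy, own_account=OWN_ACCOUNT):
    """Return (Sid, reason) findings for over-broad Allow statements."""
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        sid = stmt.get("Sid", "<no Sid>")
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))

        if "NotAction" in stmt:
            # "Allow everything except X" is effectively a wildcard
            findings.append((sid, "NotAction grants everything not listed"))

        for action in actions:
            if action == "*":
                findings.append((sid, "action wildcard '*'"))
            elif action.endswith(":*"):
                findings.append((sid, f"service-wide action wildcard {action}"))
            elif action.lower() == "sts:assumerole":
                for res in resources:
                    target = _arn_account(res)
                    if res == "*" or (target and target != own_account):
                        findings.append(
                            (sid, f"cross-account sts:AssumeRole into {target or '*'}"))

        if "*" in resources:
            findings.append((sid, "resource wildcard '*'"))
    return findings


if __name__ == "__main__":
    for sid, reason in audit_policy(SAMPLE_POLICY):
        print(f"{sid}: {reason}")
```

Run it over every inline and managed policy attached to the roles your services assume; a finding on a statement named something like `DevFullS3` is exactly the dev-era grant the item says never got tightened.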
Walk OWASP Top 10 A03 (Injection) against API request handlers, GraphQL resolvers, and any code that builds SQL, shell commands, or template strings from user input. Require parameterized queries (or the prepared-statement path of your ORM) for every database call, and do schema validation (zod, pydantic, JSON Schema) at the edge, not deep in business logic. Validation narrows what reaches the handler; parameterization is what actually prevents the injection.
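To make the A03 walk concrete, here is an added example (not code from the checklist) showing the string-built query beside its parameterized replacement, with a request-handler shape that validates at the edge first. It uses an in-memory SQLite table as a constructed stand-in for the application database; the validator is a hand-written regex standing in for whatever schema library you use. The same payload returns every row from the vulnerable function, nothing from the safe one, and is rejected before it reaches the query by the handler.

```python
"""Injection: string-built SQL beside its parameterised form (added example)."""
import re
import sqlite3

# Assumption: a simple edge validator; zod/pydantic/JSON Schema play this role.
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def build_db():
    """Constructed sample data in an in-memory SQLite database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (email, role) VALUES (?, ?)",
        [("alice@example.com", "admin"), ("bob@example.com", "user"),
         ("carol@example.com", "user")],
    )
    return conn


def find_user_vulnerable(conn, email):
    """Deliberately vulnerable: user input is spliced into the SQL text."""
    query = f"SELECT email, role FROM users WHERE email = '{email}'"
    return conn.execute(query).fetchall()


def find_user_safe(conn, email):
    """Parameterised: the driver sends the value separately from the SQL."""
    return conn.execute(
        "SELECT email, role FROM users WHERE email = ?", (email,)
    ).fetchall()


def validate_email(raw):
    """Edge validation: reject malformed input before any business logic runs."""
    if not isinstance(raw, str) or len(raw) > 254 or not EMAIL_RE.match(raw):
        raise ValueError("invalid email")
    return raw


def handle_lookup(conn, raw_input):
    """Request-handler shape: validate at the boundary, then query safely."""
    try:
        email = validate_email(raw_input)
    except ValueError as exc:
        return {"error": str(exc)}
    return {"users": find_user_safe(conn, email)}


if __name__ == "__main__":
    db = build_db()
    payload = "x' OR '1'='1"
    print("vulnerable:", find_user_vulnerable(db, payload))  # every row
    print("safe:      ", find_user_safe(db, payload))        # no rows
    print("handler:   ", handle_lookup(db, payload))         # rejected at edge
    dump = "x' UNION SELECT name, sql FROM sqlite_master--"
    print("schema leak:", find_user_vulnerable(db, dump))    # table DDL returned
```

The UNION payload is the part worth showing a team: the vulnerable function hands back the table's DDL from `sqlite_master`, which is how an attacker maps a schema before pulling data. The safe function treats the whole string as an email value and simply finds no match.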
Confirm production error responses don't leak stack traces, SQL fragments, internal hostnames, or environment variable contents. Sentry/Bugsnag dashboards are fine; user-facing 500 pages are not. Check that exception middleware is wired up in every service, including new ones added this quarter.
Run gitleaks or trufflehog across all repos and confirm GitHub secret scanning and push protection are enabled at the org level. Any hit requires rotation of the credential AND removal from git history with git-filter-repo; rotating alone leaves the secret discoverable in old commits. Treat the history rewrite as best-effort: forks, developer clones, and cached pull-request refs may still hold the old commit, so rotation is the step that actually closes the exposure.
Authentication and Access Control
Confirm MFA is required (not optional) on the GitHub org, the AWS root user and all IAM users, the SSO IdP (Okta, Google, Microsoft Entra ID), and any vendor consoles holding production access. Prefer WebAuthn/passkeys over TOTP. NIST SP 800-63B classifies SMS and other PSTN-delivered codes as RESTRICTED authenticators, so they should not be accepted for production access.
Pull access reports from GitHub, AWS, Datadog, the production database, and any vendor SaaS in scope for SOC 2. Cross-reference against current employee roster from HRIS. Departed engineers, role changes, and contractor end-dates are the usual hits. Vanta/Drata can automate the pull but a human still reviews.
Remove access from each system flagged in the review, capture before/after screenshots or API output, and attach to the SOC 2 evidence ticket. Auditors will want to see both the review artifact and the remediation timestamp.
Confirm session cookies have Secure, HttpOnly, and SameSite=Lax (or Strict) set, and idle timeout is configured to your policy (commonly 30 min for admin, 12-24h for regular users). Check both the application and any reverse proxy (Cloudflare, ALB) overriding cookie attributes.
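An added example (not from the checklist) of the cookie check above as code: it parses Set-Cookie header values and reports missing Secure, HttpOnly, and SameSite, a SameSite=None setting, a `__Host-` prefix whose requirements are not met, and a Max-Age beyond policy. Feed it the headers observed at the client (for instance from `curl -i` through Cloudflare or the ALB), because that is the only place a proxy's overrides are visible. The sample headers and the 30-minute policy value are constructed assumptions.

```python
"""Audit Set-Cookie attributes on session cookies (added example)."""

POLICY_MAX_AGE = 30 * 60   # assumption: 30 minute idle policy for admin cookies

# Constructed samples: one correct, one dev-style admin cookie, one misuse
# of the __Host- prefix (Domain is not allowed with it).
SAMPLE_HEADERS = [
    "session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
    "admin_session=def456; Path=/; HttpOnly; Max-Age=43200",
    "__Host-sid=xyz789; Path=/; Domain=example.com; Secure; HttpOnly; SameSite=Strict",
]


def parse_set_cookie(header):
    """Split 'name=value; Attr; Attr=val' into (name, value, {attr: val or True})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value, attrs


def audit_cookie(header, max_age_policy=POLICY_MAX_AGE):
    """Return (cookie name, list of problems) for one Set-Cookie header."""
    name, _, attrs = parse_set_cookie(header)
    problems = []
    if "secure" not in attrs:
        problems.append("missing Secure")
    if "httponly" not in attrs:
        problems.append("missing HttpOnly")
    samesite = attrs.get("samesite")
    if samesite is None or samesite is True:
        problems.append("SameSite not set (set Lax or Strict explicitly)")
    elif samesite.lower() == "none":
        problems.append("SameSite=None permits cross-site sending")
    if name.startswith("__Host-") and (
        "secure" not in attrs or "domain" in attrs or attrs.get("path") != "/"
    ):
        problems.append("__Host- prefix requires Secure, Path=/ and no Domain")
    if "max-age" in attrs:
        # Cookie lifetime is only a hint; the server must still enforce the idle
        # timeout. A 12h Max-Age on an admin cookie is still worth a finding.
        try:
            if int(attrs["max-age"]) > max_age_policy:
                problems.append(f"Max-Age {attrs['max-age']} exceeds policy {max_age_policy}s")
        except ValueError:
            problems.append("unparseable Max-Age")
    return name, problems


def audit_all(headers):
    """Map cookie name to its problem list for a batch of Set-Cookie values."""
    return dict(audit_cookie(h) for h in headers)


if __name__ == "__main__":
    for cookie, problems in audit_all(SAMPLE_HEADERS).items():
        print(cookie, "OK" if not problems else problems)
```

The Max-Age check is deliberately weak evidence: a short cookie lifetime does not prove the server expires idle sessions, so pair it with a manual test of whether a 31-minute-old admin session cookie is still accepted.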
Data Protection and Privacy
Run SSL Labs against public endpoints; confirm TLS 1.2 minimum, modern cipher suites, HSTS header. For data at rest, verify RDS/S3/EBS volumes have KMS encryption enabled with customer-managed keys where required by contract. Check that backups inherit encryption — a common miss.
List all TLS certs (ACM, Let's Encrypt, vendor-issued) and confirm none expire within 60 days without an automation path. The classic outage: ACME renewal broke 30 days ago, the alert went to a deprecated Slack channel, the cert expires Saturday. Verify the alert destination is a current channel.
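The expiry check above, as an added example that is not part of the checklist. Two rules cover the cases the item describes: a manually issued cert expiring inside the 60-day window needs a ticket, and an automated (ACME) cert that has drifted below its renewal threshold means renewal is already failing, whether or not anyone saw the alert. The inventory and the review date are constructed; `notAfter` uses the format `ssl.SSLSocket.getpeercert()` returns, so the same function runs unchanged on live data, and the 30-day ACME threshold is an assumption to adjust to your client's setting.

```python
"""Flag TLS certs that need action before the next review (added example)."""
import ssl
from datetime import datetime, timezone

ACME_RENEW_DAYS = 30   # assumption: ACME clients renew at 30 days remaining
REVIEW_TIME = datetime(2025, 1, 15, tzinfo=timezone.utc).timestamp()  # assumed review date

# Constructed inventory; notAfter is in getpeercert() format.
INVENTORY = [
    {"name": "api.example.com",    "source": "vendor", "automated": False,
     "notAfter": "Apr 30 12:00:00 2025 GMT"},
    {"name": "www.example.com",    "source": "acme",   "automated": True,
     "notAfter": "Feb 05 00:00:00 2025 GMT"},
    {"name": "legacy.example.com", "source": "vendor", "automated": False,
     "notAfter": "Mar 01 00:00:00 2025 GMT"},
    {"name": "old.example.com",    "source": "vendor", "automated": False,
     "notAfter": "Jan 01 00:00:00 2025 GMT"},
]


def days_until_expiry(not_after, now_epoch):
    """Whole days from now until notAfter; negative once the cert has expired."""
    expiry = ssl.cert_time_to_seconds(not_after)
    return int((expiry - now_epoch) // 86400)


def check_cert_inventory(inventory, now_epoch=REVIEW_TIME, window_days=60):
    """Return (name, days_left, reason) for every cert that needs action."""
    findings = []
    for cert in inventory:
        left = days_until_expiry(cert["notAfter"], now_epoch)
        if left < 0:
            findings.append((cert["name"], left, "EXPIRED"))
        elif cert["automated"] and left < ACME_RENEW_DAYS:
            # An automated cert should never get this close; renewal is failing.
            findings.append((cert["name"], left, "automated renewal appears to be failing"))
        elif not cert["automated"] and left <= window_days:
            findings.append((cert["name"], left, "manual renewal due before next review"))
    return findings


if __name__ == "__main__":
    for name, left, reason in check_cert_inventory(INVENTORY):
        print(f"{name}: {left} days left, {reason}")
```

The alert-destination problem the item describes cannot be checked from the inventory alone; pick one expiring cert, trigger the alert path deliberately, and confirm a human in a current channel actually receives it.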
Verify retention jobs match the published privacy policy and any contractual DPAs. Check that GDPR/CCPA deletion requests propagate to backups, analytics warehouse (Snowflake/BigQuery), and downstream sub-processors. Soft-delete-only schemes don't satisfy GDPR Article 17.
Reconcile the data map against any new vendors onboarded this quarter. Each new sub-processor handling customer data needs a signed DPA, updated public sub-processor page (GDPR transparency), and BAA if PHI is involved.
Application Security Testing
Pull open findings from Semgrep/CodeQL (SAST) and Snyk/Dependabot (SCA). Filter by CVSS ≥ 7.0, and by reachability if your tool supports it, since many transitive CVEs sit in code paths the application never calls. Close out anything stale and assign owners to the remaining criticals.
Run an authenticated OWASP ZAP or Burp Suite Pro scan against the staging environment with a seeded test user. Don't scan production: scans trigger rate limits and alerting, and occasionally crash unhardened services.
If an external pentest was conducted this cycle (auditors generally expect at least one per year for SOC 2 Type II), walk the report findings with the security lead. Categorize each by severity and by accepted-risk versus remediation status.
For each critical/high finding from pentest, SAST, or DAST, create a Jira/Linear ticket with the CVE or finding ID, owner, and target remediation date (30 days for critical per most policy SLAs). Link tickets back to the source report for the auditor trail.
Network and Infrastructure Security
Look for any security group that allows ingress from 0.0.0.0/0 or ::/0 on non-public ports (22, 3306, 5432, 6379), including rules with protocol -1 or a wide port range that happens to cover them. SSH should be behind SSM Session Manager or a bastion; databases should never be internet-reachable. CSPM tools (Wiz, Lacework) generate this report automatically if available; the IPv6 ::/0 case is the one hand-written checks most often miss.
Run terraform plan against prod state and confirm no unexplained drift. Console edits made during incidents are common and should be backported to code or reverted. Spacelift or Terraform Cloud drift detection, or a scheduled terraform plan in CI, can run this continuously instead of once a quarter.
Check that base images (Alpine, Debian-slim, distroless) were rebuilt within the last 30 days and pushed through CI. Stale base images are how already-fixed OS-package CVEs (OpenSSL, glibc, zlib and the like) persist long after the upstream patch; application-dependency CVEs such as Log4Shell live in the SCA findings above and are not fixed by a base-image rebuild. Confirm Trivy or Grype scans run on every image build.
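The security-group check above as an added example (not from the checklist), written against the shape `aws ec2 describe-security-groups` returns. It treats a rule as world-open if any IPv4 range is 0.0.0.0/0 or any IPv6 range is ::/0, and reports it unless the rule is a single port in `PUBLIC_PORTS`; protocol -1 and multi-port ranges are always reported. `GROUPS` and `PUBLIC_PORTS` are constructed assumptions; the `sg-db` group carries the IPv6-only exposure that 0.0.0.0/0-only checks miss.

```python
"""Find ingress rules open to the world on non-public ports (added example)."""

PUBLIC_PORTS = {80, 443}   # assumption: the only ports allowed from anywhere

# Constructed sample in describe-security-groups shape (ingress only).
GROUPS = [
    {"GroupId": "sg-web", "GroupName": "web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    ]},
    {"GroupId": "sg-ssh", "GroupName": "bastion-legacy", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    ]},
    {"GroupId": "sg-db", "GroupName": "data", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []},
        # Redis open to the world over IPv6 only: missed by a 0.0.0.0/0 grep
        {"IpProtocol": "tcp", "FromPort": 6379, "ToPort": 6379,
         "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    ]},
    {"GroupId": "sg-legacy", "GroupName": "allow-all", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    ]},
]


def open_to_world(perm):
    """True if the rule admits any IPv4 or IPv6 source."""
    v4 = any(r.get("CidrIp") == "0.0.0.0/0" for r in perm.get("IpRanges", []))
    v6 = any(r.get("CidrIpv6") == "::/0" for r in perm.get("Ipv6Ranges", []))
    return v4 or v6


def exposed_ports(perm, public_ports=PUBLIC_PORTS):
    """Describe the non-public exposure in a rule, or None if it is acceptable."""
    proto = perm.get("IpProtocol")
    if proto == "-1":
        return "all protocols/ports"
    lo, hi = perm.get("FromPort"), perm.get("ToPort")
    if lo is None or lo < 0:      # ICMP types use -1 here; not a TCP/UDP port
        return None
    if lo == hi and lo in public_ports:
        return None
    return f"{proto}/{lo}" if lo == hi else f"{proto}/{lo}-{hi}"


def audit_security_groups(groups, public_ports=PUBLIC_PORTS):
    """Return (GroupId, GroupName, exposure) for every world-open non-public rule."""
    findings = []
    for sg in groups:
        for perm in sg.get("IpPermissions", []):
            if not open_to_world(perm):
                continue
            exposure = exposed_ports(perm, public_ports)
            if exposure:
                findings.append((sg["GroupId"], sg["GroupName"], exposure))
    return findings


if __name__ == "__main__":
    for group_id, name, exposure in audit_security_groups(GROUPS):
        print(f"{group_id} ({name}): {exposure} open to the world")
```

A group that is open but attached to nothing is still a finding: it will be attached eventually, usually during an incident.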
Pick the most recent RDS snapshot and a recent S3 backup, restore both into the staging account, and run a smoke test against the restored data. Backup-success metrics being green is not the same as backups being restorable — most teams discover the gap during a real incident if they don't drill.
Incident Response and Monitoring
Walk a realistic scenario (data exfil, ransomware in build infra, leaked customer credential) with the IC, comms lead, and scribe roles assigned. The output is a list of gaps: missing runbooks, unclear escalation paths, status-page authorship confusion. SOC 2 CC7.4 and CC7.5 expect the incident response and recovery plans to be tested periodically; annually is the usual floor, quarterly is better.
Pull pages-per-week and acknowledged-vs-actioned ratios. Alerts with low actionability should be tuned or deleted; persistent off-hours pages indicate either a real reliability gap or alert noise. Confirm every production service has at least two named on-call owners.
Most SOC 2 audit programs expect at least 12 months of audit logs; HIPAA's documentation retention requirement (45 CFR 164.316) is six years and is generally applied to PHI access logs. Confirm CloudTrail, application audit logs, and authentication logs (SSO IdP) are retained accordingly and are actually queryable, not just archived. Check that log integrity controls (CloudTrail log file validation, S3 Object Lock or otherwise immutable storage) are enabled.
Engineering manager or security lead signs off, capturing a summary of findings, open remediations, and next-quarter focus areas. This artifact is the SOC 2 evidence for the review having occurred.